US10970403B1ActiveUtility

Forensic investigation tool

65
Assignee: USAAPriority: Sep 20, 2007Filed: Jun 27, 2019Granted: Apr 6, 2021
Est. expirySep 20, 2027(~1.2 yrs left)· nominal 20-yr term from priority
G06F 21/105G06F 21/602G06F 21/123G06F 12/1408G06F 2212/1052
65
PatentIndex Score
0
Cited by
39
References
19
Claims

Abstract

Methods and systems are disclosed a digital investigation tool capable of recovering and decrypting content. The tool combines digital techniques with decryption capability for a wide range of encryption algorithms. In one implementation, the tool identifies the type and/or vendor of the encryption algorithm used to protect the content. The tool then automatically obtains the decryption information needed to decrypt the content. Depending on the encryption algorithm used, the information may include a master key, user-specific keys, user IDs, passwords, and the like. The decryption information may be accumulated in a local or remote storage location accessible by the tool, or it may be acquired in real time on an as-needed basis from a third-party encryption vendor, a key server, and the like. Such an arrangement allows law enforcement agencies as well as corporate security personnel to quickly recover and decrypt content stored on a computer system.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method comprising:
 determining, by at least one processing device, that a content item is encrypted; 
 identifying, by the at least one processing device, an encryption tool used in encrypting the content item based on a file format of the content item; 
 retrieving, by the at least one processing device, a decryption key for decrypting the content item based on the identified encryption tool, wherein the retrieving comprises:
 obtaining, from data input into a plurality of fields on a website, (i) a first username of a first authenticator and a first authentication code corresponding to the first authenticator, and (ii) a second username of a second authenticator and a second authentication code corresponding to the second authenticator, 
 authenticating each of the first username of the first authenticator, the first authentication code corresponding to the first authenticator, the second username of the second authenticator and the second authentication code corresponding to the second authenticator, 
 responsive to the authenticating based on the data input into the plurality of fields of the website, accessing a repository of decryption information, the repository storing a plurality of decryption keys, 
 retrieving the decryption key from the accessed repository of decryption information based on the identified encryption tool, and 
 
 decrypting the encrypted content item using the retrieved decryption key. 
 
     
     
       2. The method of  claim 1 , wherein the encryption tool is identified based on information in a header portion of the content item. 
     
     
       3. The method of  claim 1 , wherein the decryption information comprises a cryptography key. 
     
     
       4. The method of  claim 3 , wherein the cryptography key is used for generating the encrypted content item using the encryption tool. 
     
     
       5. The method of  claim 1 , wherein retrieving the decryption key further comprises:
 identifying, by the at least one processing device, a vendor associated with the encryption tool; 
 automatically providing, to the vendor, identification information associated with the encryption tool; and 
 receiving, in response to providing the identification information, the decryption key. 
 
     
     
       6. The method of  claim 1 , further comprising processing decrypted content item for evidence that may be used in a criminal or civil proceeding. 
     
     
       7. The method of  claim 1 , wherein the content item comprises one of: data, text, images, video, and audio. 
     
     
       8. The method of  claim 1 , wherein the content item is encrypted using one of: an encryption process, a compression process, or a copy protection process. 
     
     
       9. A system comprising:
 at least one processing device; and 
 a computer-readable medium coupled to the at least one processing device having instructions stored thereon which, when executed by the at least one processing device, cause the at least one processing device to perform operations comprising:
 determining that a content item is encrypted; 
 identifying an encryption tool used in encrypting the content item based on a file format of the content item; 
 retrieving a decryption key for decrypting the content item based on the identified encryption tool, wherein the retrieving comprises:
 obtaining, from data input into a plurality of fields on a website, (i) a first username of a first authenticator and a first authentication code corresponding to the first authenticator, and (ii) a second username of a second authenticator and a second authentication code corresponding to the second authenticator, 
 authenticating each of the first username of the first authenticator, the first authentication code corresponding to the first authenticator, the second username of the second authenticator and the second authentication code corresponding to the second authenticator, 
 responsive to the authenticating based on the data input into the plurality of fields of the website, accessing a repository of decryption information, the repository storing a plurality of decryption keys, 
 retrieving the decryption key from the accessed repository of decryption information based on the identified encryption tool, and 
 
 decrypting the encrypted content item using the retrieved decryption key. 
 
 
     
     
       10. The system of  claim 9 , wherein the encryption tool is identified based on information in a header portion of the content item. 
     
     
       11. The system of  claim 9 , wherein the decryption information comprises a cryptography key. 
     
     
       12. The system of  claim 11 , wherein the cryptography key is used for generating the encrypted content item using the encryption tool. 
     
     
       13. The system of  claim 9 , wherein retrieving the decryption key further comprises:
 identifying, by the at least one processing device, a vendor associated with the encryption tool; 
 automatically providing, to the vendor, identification information associated with the encryption tool; and 
 receiving, in response to providing the identification information, the decryption key. 
 
     
     
       14. The system of  claim 9 , wherein the operations further comprise: processing the decrypted content item for evidence for use in a criminal or civil proceeding. 
     
     
       15. The system of  claim 9 , wherein the content item is encrypted using one of: an encryption process, a compression process, or a copy protection process. 
     
     
       16. A non-transitory computer-readable medium coupled to at least one processing device having instructions stored thereon which, when executed by the at least one processing device, cause the at least one processing device to perform operations comprising:
 determining that a content item is encrypted; 
 identifying an encryption tool used in encrypting the content item based on a file format of the content item; 
 retrieving a decryption key for decrypting the content item based on the identified encryption tool, wherein the retrieving comprises:
 obtaining, from data input into a plurality of fields on a website, (i) a first username of a first authenticator and a first authentication code corresponding to the first authenticator, and (ii) a second username of a second authenticator and a second authentication code corresponding to the second authenticator, 
 authenticating each of the first username of the first authenticator, the first authentication code corresponding to the first authenticator, the second username of the second authenticator and the second authentication code corresponding to the second authenticator, 
 responsive to the authenticating based on the data input into the plurality of fields of the website, accessing a repository of decryption information, the repository storing a plurality of decryption keys, 
 retrieving the decryption key from the accessed repository of decryption information based on the identified encryption tool, and 
 
 decrypting the encrypted content item using the retrieved decryption key. 
 
     
     
       17. The non-transitory computer-readable medium of  claim 16 , wherein retrieving the decryption key further comprises:
 identifying a vendor associated with the encryption tool; 
 automatically providing, to the vendor, identification information associated with the encryption tool; and 
 receiving, in response to providing the identification information, the decryption key. 
 
     
     
       18. The non-transitory computer-readable medium of  claim 16 , wherein the operations further comprise: processing the decrypted content item for evidence for use in a criminal or civil proceeding. 
     
     
       19. The non-transitory computer-readable medium of  claim 16 , wherein the content item is encrypted using one of: an encryption process, a compression process, or a copy protection process.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.